Slashdot Mirror
Are Background Checks Necessary For IT Workers?
4foot10 writes "UBS PaineWebber learned a hard lesson after hiring an IT systems admin without conducting a background check. Now its ex-employee is slated to be sentenced for launching a 'logic bomb' in UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades."
"What do you know about your own people?" asks Alan Paller, director of research at the SANS Institute, a security firm. ...nuff said.
Would you like your email to be read by someone you don't even know? Well that is what could happen if you hire a SysAdmin and do not conduct a background check. I know that I would actually prefer if my name was run through a background check so that management can actually trust me instead of always wondering.
if you have a business please pay folks in this order
1 your money people
2 your lawyer
3 your coders
4 yourself
5 the balance
Any person using FTFY or editing my postings agrees to a US$50.00 charge
So let me ask this. What makes IT/IS people any less likely to do Bad Things(tm) than anyone else? If you feel the need to do background checks on everyone, then do them on everyone. Just be warned: A background check doesn't work the same as inspiring loyalty in your workers.
Fill in your four or five-letter word of wisdom here _ _ _ _ _.
What for? There are limits to croporate paranoia. How many people are genuinely untrustworthy?
Background checks are a blatant violation of our right to privacy!
Our entire civilization will be replaced by a fascist tyranny the moment we allow background checks to happen!
Any sufficiently well-organized community is indistinguishable from Government.
"a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes."
That means a background check won't catch 70% of the malicious insiders. This article is meaningless without info about the rates of attacks from insiders who would've passed or failed background checks. It's a reasonable hypothesis to say that IT workers with criminal records are more likely to launch insider attacks, but there's no scientific evidence of it in this article. It's all fluff based on one person's case.
No organization that large should technolgically empower a single person to be able to do that much damage without some sort of review process that would have caught the problem.
Did his changes get reviewed by his peers?
Did they go through some sort of QA process?
While it's a bit scary that they hired a criminal, that's hard to avoid in any large organization.
What's really *really* scary is that their internal processes let him do that much damage. I'd be worried if I were their customer.
Is this a serious question? Are background checks necessary for Sys Admins at a financial institution?
Sure, he had a criminal record with offenses 20 to nearly 40 years prior to the time he was hired. I don't see that that's a real indication that he is likely to lauch a "logic bomb".
I've certainly heard plenty of stories about disgruntled IT workers in sensitive positions doing things like that—usually a criminal history isn't mentioned. Is there any evidence that there is a correlation between that and long-past criminal convictions that aren't closely related to the kind of damage they later do?
Or is this just a case of "Ooh, something bad happened, lets look for something about the person that might explain it, and then assume that this proves the general utility of background checks"?
Do a cost/benefit analysis. If you're a small computer repair shop with 5 employees, then it's probably a waste of your limited funds to do a background check, especially if doing so delays the hiring process. You'll be keeping close enough supervision to catch any egregious acts anyway. If the employee is going to have root access to 10,000 computers, then maybe a thorough background check is in order.
The only thing a background check really proves is that a person has not been caught at anything yet. It's the ones that get away with nefarious actions that you really have to worry about (Note, I'm not one of those nefarious people, though I'm sure someone will bring that up).
Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer [... who] spent about $3.1 million to assess the damages and restore the computer systems, [... and] haven't reported how much was lost in business downtime.
In retrospect, it appears that the entire event, as well as the financial damages and the hit to the company's reputation, could've been avoided if UBS PaineWebber, a giant in the financial community, had done a background check on Duronio when he had been hired.
And I see the problem as being caused by a lack of bonuses in IT. Prevent logic bombs, give your IT workers large bonuses!
(I'm talking to you, boss)
Learn to love Alaska
If you look at where firms lose the most money, and the risk factors, it's the lack of realistic background checks and clawback contracts for CEOs and CFOs that puts a company at risk, then the accounting staff, then sales and shipping staff, and way down you have IT staff.
Let's get real.
-- Tigger warning: This post may contain tiggers! --
I think it depends on the business you're in, since that level of distrust isn't necessary in every organization. Anyone in a position of trust can eventually escalate their privileges, unless you have extremely strict access controls.
Ultimately, the guy did it because he didn't get a big enough bonus. His sour grapes = fucked company.
IMO, if you're going to run background checks, it isn't enough to just scan the critical (IT) guys. If you aren't checking everyone who could be a potential threat, then it's mostly just hand waving.
[Fuck Beta]
o0t!
I've always been under the assumption that, given proper preparation and time, a high-level IT guy with good enough access could repeat everything that happened in the Enron scandal. As of now, most incidents I've heard of seem to be just one guy trying to nail a company that angered him, but it's only a matter of time before someone decides to milk a company for all it's worth (or maybe it's happened and I just haven't heard about it). Preventing that sort of thing would probably be a good idea, to say the least.
Besides, other positions require background checks. Why would IT be different?
"everything you've been programmed is a lie"
I didn't know that the headline questions were allowed to be rhetorical.
But then, taco could just hire an unknown editor, sans background check, to help with the editing. Because, what could go wrong?
Don't disappoint your bird dog. Go to the range.
I GOTFA (Glanced Over The Article), his offenses didn't appear computing related and some date back to the 1960's. How many people with such backgrounds are working in similar jobs and not committing these crimes? Sure, background checks may get you hiring all the goodie goodies from the straight and narrow path .. but maybe you'll miss out on some folks who made mistakes in the past but are well qualified for their job.
.. but it seems people are getting less and less forgiving, more and more mistrustful, and increasingly afraid of one another. There used to be a time when a stranger could walk into a town and be taken into a home. There also used to be a time when you could hitchhike .. nowadays people are afraid to pick up hitchhikers. How soon before we need to get ID checks before walking into a grocery store (after all people with histories tend to rob stores)?
Sure, I understand the whole "safe better than sorry" thing
Maybe someday somebody will prove that its paranoia itself that's manifesting crime because the more we distrust each other, the less anyone is concerned about wronging the next guy.
And no, I don't have a record!
Yes, of course admins with the ability to wreak major havoc at an organization should have to undergo background checks. Several years ago I worked at a Fortune 500 company, and there were no background checks done at all for IT staff. Turns out we hired a guy who used a fake name and someone else's social security number, and he worked as one of our main sysadmins for over a year, with privileges on probably 100 servers and full privileges on the email servers, before he was caught. I thought background checks were a waste of time until that...scared me half to death because no one had any idea what he'd done in all that time, and worse, no idea who he actually was.
Sorry for that. The story mentions that this person had prior convictions for minor crimes on his record when he was hired. They didn't run a background check on him before they put him in control of over 2,000 servers. Then they screwed him on his bonus and he screwed them. Now he's going to jail.
It sounds to me like their HR department was incompetent, the management was incompetent and they gave an employee too much control. I don't think any one employee should have that much control over a company's IT infrastructure. And you NEVER give high level people root access. Instead, you break your organization into regions, with a top admin for each region. Then no one person has complete control over the infrastructure. Ideally you would spread the information across many datacenters also, with journalled backups/replication going both ways. When you get to a certain size, you need to have checks and balances. Smaller businesses can get away with that stuff, provided you have a good backup policy. Again, you need to have multiple copies of the current dataset in the control of many different people.
Of course, you probably have proprietary software that gets worked on by 5 or 6 programmers that gets disseminated out to every machine, which is also a weak spot. Tight controls on those people are necessary also, but there's little you can do to stop a programmer from trojanning proprietary software for some future date when he's in the islands somewhere under a false identity.
Can a background check stop a determined employee from wreacking havoc within his box? No. But everyone knows it's not a bad idea to know your employees a little before giving them that kind of access.
Cool! Amazing Toys.
How would this ever prevent a first offense??
I just got a new job that required a background check. This company, before the offer even came has ALL my info. I have nothing on them and even if I QUESTION the hiring practice my application is denied.
How do I know I can trust them with my personal history?
Larger companies are just as Evil(TM) as the smaller ones. It is NONE of my employer's business where I lived 5 years ago. I'm not paranoid but subjecting people to a test that's limited in scope of Evil(TM) is evil.
This is something that has affected me in the past year, while trying to get a job in the industry. I can completely understand background and credit checks, but at the same time, many perspective employers do not even give me a chance to explain myself, or the reason things came up. Granted, I'm only 24, and people see me as some damn kid who wants to show off to his friends, but that is completely opposite of what I'm there to do. I can understand that perspective employers see several arrests as a juvenile, and I'm instantaneously blacklisted. My credit has gone to shit too, especially after a messy divorce that has drug on for way too long. /end rant
Ok, so I know I'm going to get modded down on this, but it's something that is really never spoken about. True, it can affect the job search for many of us, but I support having background checks, on the condition that we the person being investigated be offered a chance to explain ourselves, and to not become prospective employee investigation # 54283.
Think Ghost in the Shell, programmers are considered 'weapons' or military equipment and thus need to register with the government and have to stay in the country, etc. (similiar to encryption is today)
Yes everyone should get a background check right from gas station clerk to CIO, and everyone should have to pee in a bottle, and submit to intrusive personal "psychological profile" questions, because the health of the collective is more important than individual rights, right? This is EXACTLY thee mindset of communism, and don't even try to tell me that you have a choice to work for a firm or not, if they all require background checks, peeing in a bottle, intrusive psychological tests, etc, then we have defacto collectivism.
R.I.P. freedom I miss you already.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
It seems that the croud here decries criminal background checks as useless or even counter-productive. And yet this is the same croud that villifies Diebold for hiring criminals. Go figure...
___
If you think big enough, you'll never have to do it.
A company I worked for in the 90's discovered it's night-shift word processing supervisor was a convicted felon when conducting background checks on a couple dozen employees, after wallets and purses started disappearing from the office near Christmas time...
The WP supervisor had worked for another company and copied a database onto floppies and then erased the production database. He tried to hold the data for ransom, but the company just had him arrested. He did a couple of years in the klink and when he got out he went to work in the billing department of a local utility where he deposited customer payments into his own account. He did a couple years for that as well...He had worked for our company for 2 or 3 months, virtually unsupervised.
The wallet thief turned out to be a mailroom guy who had worked there for years...
Goofy, Geeky Gifts and More!
How many others do the logic bomb or other white collar crimes who don't have a record of burglary and aggravated assault?
What was Ken Starr's background? Murder?
The most dangerous ones are the ones who come back empty. Sucks when this happens, and a background check wouldn't have hurt, but you gotta watch your people closely and hope for the best. IT is very dangerous, aggravated assault or not, you can easily get screwed over.
Companies should start by doing a background check of their CEOs and promptly fire them if any irregularities like a previous arrest or drug/alchohol violations are found. Once the people who could really do a lot of damage, like violate US/EU business laws, are investigated and dismissed, the company will be justified in asking rank and file to give up their privacy.
This is meaningless without also disclosing what percentage of employees as a whole have arrest records... off hand, I'd guess about 30% of ALL employees have a record of some kind! I've got a record a mile long mostly due to poor choices of companions, and I CAN be trusted with the root password for a large corporation.
previous arrest and drug/alcohol records
so what else is new.
The question you should be asking is not, "would a background check have prevented this", it's "how the hell could one person alone cause that much damage on UBS' network"?
One person should not have been able to push a logic bomb out to thousands of machines without several other people in the organization knowing about it. Isn't UBS publicly traded? The Sarbanes-Oxley Act should have required that their IT group be audited to ensure that controls were in place to prevent exactly this sort of situation.
Wow, this all has a ring of Hackers circa 1995. Don't tell me his background check revealed that he commonly went by 'Zero Cool', or wait maybe 'Cereal Killer'.
Any company that trusts someone with their deepest darkest secrets, and doesn't have the brains to conduct a bg check deserves what they get.
How would burglary and assault (um... 47 YEARS AGO) lead to logic bombs? (From the OP) How would this have helped?
From the article:
Using only publicly available information, Hershman found three incidents, including drug-related charges from 1980 and a tax violation, within 24 hours. Within three or four days, he says investigators found information on a conviction and incarceration from the early 1960s related to aggravated assault and burglary charges. A presentencing[sic] report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.
So... basically, 27 years ago this guy had a drug case, and more than 40 years ago had an aggravated assault and burglary charge. From this they were supposed to deduce that this guy was going to logic bomb them?
Or, according to TFA and Hershman, this would've been enough for them not to hire him at all or just for computer work? He doesn't say. I've worked in firms that would refuse to hire you if you had anything on your record.
Please note here that Mr. Hershman sells this service and I am not so sure that he would be considered unbiased.
Here is some guy that would have been penalized for something he did 40 years ago?
Talk about 2nd class citizens. Do they understand that over 2% of the population is in prison and a considerable portion of people living today have been in prison or convicted of some offense at one point or another?
One of the engineers I hired had a drug conviction, but it was clear that she was recovering and this was a good opportunity for her. That was several years ago. Do I feel bad about that? Of course not.
I understand why companies feel the need to do criminal background checks to absolve themselves of a possible lawsuit. (They are culpable if they hire an ax-murderer just released from prison and he axifies some people.)
I believe that some of this is designed to find a chink to break down an employee so he/she will accept less in salary.
"Hmm... you have bad credit. Oh look, you also have some speeding tickets. Now, how much did you say you wanted for the privilege of working here?"
Criminal background checks should be used judiciously in sensitive positions. IT is probably one of those... but companies shouldn't just rubber-stamp anyone with a conviction a "no hire".
I would be utterly screwed. I'm much reformed from my youth. As is, i'm smart enough to not go after gov't contracts and large employers. If more companies got this into their head they would lose some of the top admins that I know.
As long as we're not hiring fags or muslims it's ok by me.
Duronio aka Clark Griswold?
I have never been arrested for anything, what's to prevent me from doing something malicious? If I do, is my employer at fault for not checking me?
Background checks catch the stupid criminals.
I want to delete my account but Slashdot doesn't allow it.
The way that I look at it is this:
Your IS/IT people are less likely to do Bad Things(tm) since there is little or no reward in it for them. Upper levels of managment can embezzel funds, so can lowly finance interns. For them, there is the possibility of stealing millons of dollars over time.
For IS/IT people, what have you really done? It's a larger scale equivalent of breaking a window. You've caused trouble for other people, but there is no benefit to you.
Besides, IS/IT people are easy to keep happy for the most part. Let them have ownership of the network, don't micro-manage them, and buy them the occasional cool gadget. Want a 20" LCD? If the $300 is costs keeps you happy for 6 months, you can have 4. Want the most kick-ass computer in the company? For the $1000 difference it would take, no problem.
IS/IT people are important. They are the ones who know where your data is, how it's organized, and where it's backed up. Their needs are simple too. They mostly do IS/IT work because they like new stuff and gadgets. Throw them a new piece of tech every other month and keep their salaries at least comparable and you won't have to worry.
Disclaimer: I say these things about IS/IT people because I was one, then I managed them, and now I'm happy to just be one again.
Background checks are not the panacea that will make companies safe. Who says this background is acceptable and this is not? Background checks do not catch people who have yet to committ some "offense". If someone has say a minor conviction will they become almost unemployable? If you set a standard for new recuruits, who keeps updating background checks on long serving emplyees who committ offences outside of office hours? Should these existing "loyal" employees be FIRED if they don't meet the new hire "test" score?? Where does it all stop? Anyone willing to bet that the empoyer, in this specific case, didn't supervise or manage this newer employee well enough and that there were signs he was going to do something silly? Blaming no background check instead of a possible lack of management supervision sounds too easy.
just shows how noobs like you turn javascript off in their browsers or get infested with spyware..
Now telling me exactly who is running background checks for all those jobs you outsourced overseas... will you still think you're getting such a good deal for you money when they start transferring your customers' funds to their own accounts?
And you have the right not to work for anyone who requires a background check. Just like someone who requires a background check has the right not to hire you for refusing to take one.
Welcome to the free market.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
by companies that realize, accept, and act-on, the fact that someone who has complete control of your IT infrastructure is not some easily replacable cog-in-the-machine, but someone who has complete control of an essential part of your business on whom you are relying on for your continued income. Gee, if I were the CEO of that company, I'd want to have at least be on first name terms with that guy, maybe talk to him in person from time to time.
No, seriously. I have worked as a security consultant for financial firms; I have been an IT admin for brick-and-mortar shops who cared more about production line breakdowns than integrated, SQL-based inventory controls. This decision will be a result of each company taking a long, hard look at risk management, not some company who wants to use background check to make lives miserable for its applicants.
To wit, I was called into a local electric utility company to do a risk assessment after one of its ex-employees threatened to launch attacks from the outside because he was canned.
Just as technological risks are no longer confined to outside the perimeter, risky new hires can cause you endless nightmares. If you value your assets and want to have a basis for trusting your employees, do the right thing. The clean ones will respect you for it; the less-than-clean ones will be denied access. Your call.
Not too imaginative or intelligent, fortunately for UBS Paine Webber.
If this guy was any smarter he would have covered his tracks like the BOFH.
At least he could have staged a virus outbreak or something else that is easily deniable.
The article is just fearmongering. Aside from the questionable use of statistics that others pointed out, many of the choice quotes are from sources that are hardly objective, such as "Howard Schmidt, a former White House security adviser and now president and CEO of R&H Security Consulting" or a a "Ken van Wyk, principal consultant with KRvW Associates," which, you guessed it, is a security consulting firm. It's like asking a telemarketer if he thinks you need a new long distance plan. Of course these people are going to tell you everyone's out to get you and they have the answer, all based on the strength of one horrific case study! Sure, you need to check up on people with, as they put it, the keys to your kingdom, but the analysis in TFA is hardly a basis for a level-headed, thoughtful discussion.
Even as you read this, your pants are strangling your loins! Aaa!
If he lied on his application, a good background check will reveal this. This goes for all employees, from the guy who mops the floors to the guy in the CEO's office. Remember, the guy you hire to mop the floor may be working on his CS degree and become your IT guy in 3 years. 15 years later he may be the CEO.
Catching a liar is much more valuable than disqualifying a murderer or embezzler. The former obviously hasn't learned his lesson yet.
As for protecting your systems from bad acts, keep audit trails. Where necessary, have independent systems log all administrator activity, and make sure those logs get stored in a difficult-to-erase-without-raising-alarms location, like magnetic tape on a machine your admins don't control. Change the tape daily or more and never recycle.
Use the concept of least-privilage. Make sure admins have the tools to do the work they need to do, where they need to do it, when they need to do it, and no more. Critical systems should have multiple approvals required to effect changes.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
was supposed to include a red swingline!
right ? or helped HP shareholders in their boards criminal spying ? or prevented Worldcom ?
its astonishing that getting arrested for being drunk is deemed worse than ripping off thousands or millions of people for life savings
when you go to a job make sure you know the history of who you will be working for , perform your own background checks on the directors and executives, not criminal checks mind , start at the SEC and yur local business bureau and see if you can trust your prospective employer how many companies have they run ? how many went bust ? namechanges ? faulty accounting ?
Where will I be able to buy my weed from if they find out our BOFH has a cultivation of marijuana arrest twenty years ago?
When the only tool you have is a hammer, every problem looks like a nail
They lost in excess of 3 million dollars. That's not "poor baby" money. Their customers were hurt; their reputation was damaged.
Contribute to civilization: ari.aynrand.org/donate
I think the label of criminal is kind of being tossed around like a kind of boogie man, some clearly designated type of human who is scientifically proven to be more prone (if not certain) to steal and destroy the property of anyone fooled into hiring them. I don't think this has any basis in reality, and background checks serve more as PR and a way to placate the public into a false sense of safety than anything else. In reality, every workplace I've ever seen, technical or otherwise, was full of "criminals" who had never been caught and for whom background checks would provide zero protection. Humans are quite often greedy and selfish and inclined towards breaking rules when they think they can get away with it. I've had bosses who used background checks to screen employees while they themselves would steal hardware from the office. I wonder how many (much less sensational stories) of IT workers without criminal histories stealing from their employers aren't being reported... I personally have a criminal record, dating back to my teenage years, and am now in my late twenties. I understand an employer's apprehension when considering me for a job, even after all these years of living a constructive life, but I believe the roots of that apprehension are manufactured by the media. In reality, it is a huge task for an ex-offender to go to school and even develop the qualifications for IT work, and in my personal experience and from volunteering to help employ other ex-offenders, I believe someone who has invested that amount of effort into pursuing that career is far less likely to throw it away by doing something stupid. Most active criminals/addicts can't hold it together enough to get through college and perform the duties expected of an IT worker. They don't invest huge amounts of effort and time playing it straight for years so they can infiltrate companies and ruin everything. This character seems like an aberration to me.
They lost in excess of 3 million dollars. That's not "poor baby" money. Their customers were hurt; their reputation was damaged.
Money is a myth- it's not like they lost any LIVES. Get a grip and get some perspective, guys. You failed to do your due dilligence and you paid for it. Financial dealings in a chaotic market are not the end-all-be-all of the universe.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
But don't let that be the only means. When hiring someone in a security sensitive position, do a LOT of little interviews. Take him to lunch a couple of times. Get various people to interview him in their own ways and have them report back their "feelings of trust." Check references with more than a phone call. Take THOSE people out to lunch too.
You might end up buying a lot of lunch, but what you want to know is what is this person REALLY like and that takes personal interaction. His "first offense" could be against you! So don't think it's all about the criminal checks.
Basically, you want to find out just how important and powerful this potential hire thinks he is. If he thinks he's too powerful or important, don't bother hiring those jerks. They are often more trouble than they are worth. You want someone who cares more about the job than himself.
it used to be the background check was called "checking references", and was done by the manager or HR. Previous employers were contacted, and if there were bad vibes, the candidate was passed over. This would tell a company far more than background checks.
Schwab has been doing background checks on their IT staff since at least 1998, when I started there. They also record all phone conversations, emails and open all your mail.
They make their money by providing a service. It's not a lot different from the bay doors at an automechanic being shut all day long. They still have costs, and can't charge for fixing cars because they can't get any in the door. It's still real money they're paying out, and real money they can't make that they otherwise would have.
SIG: HUP
I too, have been at this for a while. The ONLY place that did a drug screen was for "the phone company". Gah! the clock-punchers there could have used some drugs, IMHO.
Over my career, I've had my fingers on the button for "big money" financial types, military stuff, and other things. Right now I have VPN access to various companies where I could, if I were of a mind to, make some "adjustments" to content that would probably find their way to the public. I was not tested or screened for 90% of my 20+ years of work in IT.
That said, if I were a jihadist wanting to do some damage, I wouldn't fail a drug test or have a criminal record, so test/screen away!
This issue is a bit more complicated than you think.
A background check could filter out a lot of bad people.
Perhaps, but will a background check filter out a person who doesn't have a record? What happens if you piss of your sysadmin (for whatever reason)? You may get a similar situation as UBS. How is a background check going to help you there?
If anything, a psychological profile would be the proper approach. Ask, "Does this person, with a clean record, hold the propensity to go postal (aka, rm -rf *) ?" How many people graduating with a CS or IT degree have a crime-addled past? By and large, very few, I would assume, but that's assuming from experience. Not too many of my coding-nerd/dork/geek friends hold outward, violent contempt towards people. However, some of them seem to harbor a deep-seeded disdain for certain organizations, groups, etc. None of them have ever been in trouble for any reason, but what if you pissed one of them off for any reason? I can't say what one of them would do. Perhaps they would do nothing, short of quit their job, but no one can be certain what _any_ person will do when faced with extraordinary duress.
Personally, I believe if we were to go down the road to psychological profiling, we're treading in dangerous territory. Something along the lines of Minority Report meets Gattaca.
No sig for you! Come back one year!
Background investigations on the employee are next to worthless, in my book.
First of all, too many companies only do an initial bg check, and never do periodic checks. Second, they don't do true investigations, by interviewing people (references, neighbors, family, friends, etc). Finally, do they investigate the spouse/SO, children, parents, siblings, and/or in-laws?
Stop and think about that last one. Most people can take take the hit on something they've done personally. But what if their family is placed in harm's way? Spouse has a credit/gambling problem; kids have a drug problem; older parents don't have insurance, and need expensinve medical care.
The point is, commercial background checks are irrelevant. They only capture a fraction of the total influences upon a person.
I have a family relative who is a senior HR executive and you would not believe the stuff she sees. The vast majority of people lie with degrees and experience and many have criminal backgrounds. More than half plainly lie or use family members as references. People who were once criminals have trouble finding jobs and are very likely to keep applying until someone doesn't notice. They make up a very large majority of desperate applicants with false resumes.
She ends up firing quite often over this
http://saveie6.com/
There isn't a blanket rule. If the cost of running background checks is greater than the liability that running them protects you from, of course they are a bad idea. On the other hand, if you can spend money to save money, well, you do it.
Nerd rage is the funniest rage.
Yes, but it's not like lives are at stake- these things happen, and should be taken in stride.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Works in North Korea!8-))
25) List any criminal convictions.
26) List all Slashdot id's, past or present.
especially when in the background there's a guy snickering and swearing under his breath while typing frenetically, then running out the door
Hell, no!
most (all in this case) stock broker trades defy logic and are made by buffoons, so the little bit of software that stopped the trades seems to have worked perfectly
they're useless against crap like this.
What would the smart masses with drug or alcohol related convictions do when being denied getting honest jobs?
/. nick with my name (or even ASK) for the purpose of background checks and I can not risk that - also I am currently slightly tipsy.
I imagine an IT security professional who can not get a descent job anymore in the field he/she is realy good at because of stealing some rubbers at the age of 17 or because of smoking some pot. I could well imagine that this guy might decide that if his service is not wanted legally, he might as well use it other ways.
The criminal sector is desperately looking for such talents as the stream of revenue through online crime constantly continues to rise...
Like they say, outlaw talented CS guys with grey spots in their files from the market and the criminals will be the only ones who employ talented CS guys with grey spots in their files.
Especially with IT security jobs, I guess that some of the most talented spirits might have been caught at doing unlawful things like thinking for themselves and therefore trying drugs or even [cough] breaking into IT systems when they were young and wanted to explore their capabilities and the world. (Mitnick anyone?)
But maybe that's just me...
Besides that, I would tell you more about my personal history as well as my profession and not post as an anonymous coward, but someone could eventually associate my
Furthermore I am pretty convinced that the best way to prevent someone from placing logic bombs in your organisations IT infrastructure is by not pissing them of and treating them accordingly. This is why I, as a security professional, hesitate to restrict the freedoms of our employees to much although it would be the best thing to do security wise, because they are already way to underpaid and have to work far too much and restricting their last freedoms like to view JavaScript thingies or to view funny PowerPoint files might piss them off and the consequences thereof could be far more devastating than the one virus that eventually slips through all of our lines of defences.
-b.
...but don't think it protects you completely. You don't really have any way of knowing this guy hasn't stolen somebody else's identity... Or if he just has never been caught for his misdeeds... ...but WOW, I can't believe a company that big wasn't doing background checks on EVERYBODY, at least when they hired a full-time employee. You never know what your psycho co-workers are really all about... They work with you, but at the same time, in a lot of ways they are total strangers.
Don't know if every company needs to do this, but certainly, every smart company should. If you can't keep yourself out of JAIL, as a potential employer/manager I want to know that.
Who did what now?
6 or so years ago, I was a junkie. I was young and stupid. I'm feeling much better now, and wouldn't even consider any real crimes. But on the job market, I'm screwed, thanks to background checks. I've paid my debt (restitution and prison), and have skills to offer. But try checking "yes" to "have you ever been convicted of.." and you're screwed. My best hope these days is that they're too busy to check.
Good thing we won the cold war. Now we're safe from totalitarian governments that spy on their own citizens and maintain huge files that determine future employment prospects. In our free country, our employers do that instead.
Oh yeah, now the government AND the employers do it here.
There will come a day when neither governments nor employers can violate privacy like this.
And I'm sick of the justification of every intrusion or outrage that it might (or even will) prevent something bad from happening. Fine. Let it happen.
Get your teeth into a small slice: the cake of liberty
would be more productive given some of the corporate scandles we've had. That's where the big losses have occurred.
Odd that the FA entitled "Are Background Checks Necessary For IT Workers?" would have a hyperlink on "computer" that links to a junior high school definition of a computer ??!!
From the link:
The computer can selectively retrieve data into its main memory (RAM) from any peripheral device (terminal, disk, tape, etc.) connected to it...
Just kind of strange.
Now, if you'll excuse me, I've got some idea balls to remove from a manatee tank.
Frankly, I'm afraid of my IT workers coming up squeaky clean on background checks. There are 2 possibilities for such a thing to exist.
1) The IT worker know ethics better than Kant, can recite security policies and procedures blind-folded, probably from writing them, and has the emotion and personality of a toaster.
or
2) The IT worker is socially acceptable, mingles well, and seems TOO ordinary. Your IT worker has probably hacked into the appropriate systems to correct any past blemishes that might hinder his career in the industry. You won't be able find the references he lists, and his listed skills are legit, but all the previous employers are no longer in business.
Yup. That sounds right
Two other things to consider about them though:
1.) *Good* background checks cover more than just criminal record searches. (Sloppy checks are nothing more than database lookups.) For someone who's about to step into a highly secure situation, let's say a bank programmer responsible for clearing transactions for instance, there are any number of additional checks that should be done, among them a credit report.
(A credit report?! There are *countless* cases of people across the globe who get pressed too far by debt selling company secrets and/or stealing to save themselves from the creditors. It happens. Credit checks may help in that case.) Which leads me to my next point.
2.) Background screening like we do (shameless plug) is an intensive process. Screening reports are not by any means meant to be "yes"/"no" hire/don't hire reports. Instead they're meant to help employers make decisions based upon their needs and risk tolerance.
All that said, on the surface it may seem that conducting pre-hire investigations on those 70% may *not* catch some portion of those who would commit criminal acts like those described in the original article; however, quite often a good background check *will* turn up certain things that might just make an employer want to pause and reconsider their hiring decision for a given job applicant. (Wow, what's with all these arrests on drug charges...." for instance.)
In instances like those chances are a good portion of the applicants that would fall into the category that might give an employer pause would also be the very same ones who would later go on to be in the 70%.
Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
This is a topic I've been curious about for a few years now. From about the age of 14 till I was 23 I've racked up many misdameanors and felonies as I went through life doing drugs and being a loser. I'm 26 now and have cleaned up since I was 23. I'm a student right now wondering if when I go for an interview or fill out an app if I should lie about my past or put down the truth and hope I'm given a chance. In the past I've lied and gotten many jobs, but its mostly construction, labor, grunt work that nobody ever does a background check on. I actually work in a factory that makes anti-theft boxes for vehicles. And I lied on the app for the temp staffing company that got me a permanent job there because they do not accept felons of any kind. It actually said on the app STOP if yes to question #12. From experience I've found that telling the truth is 99% guaranteed to have your app thrown in the trash. However from what I read here they actually do backgrounds checks and I've seen that in the hire ads at monster, dice, etc. For anybody that knows, should I maybe have low hopes for getting a job in IT because of this?
Should I lie and hope I slip through the cracks and hope some more my past is never revealed?
Should I tell the truth and burn gas to the next interview hoping I'll find somebody open minded?
My record is burglary, theft, dui. Nothing violent or job-related.
Yeah I know I brought this on myself but if I'm never given another chance am I supposed to do manual labor making 9 dollars an hour the rest of my life as punishment?
BTW, at my current job, I see "clean" employees steal things, yet I never do.
your network is just as down whether the outage came from an error or from malice. Change control is imperative no matter what.
Background checks won't prevent screwups, and they won't prevent the employee from developing a drug problem after you hire him/her.
We're going through enough of a hard time as it is trying to obtain and hold onto employment in the face of outsourcing and the trend in making everything contract.
Please dont front page stories like this which just promotes them and makes it even more difficult for us.
http://www.livejournal.com/users/cixel
There is no such thing as a stupid question. Just stupid people asking questions.
-- some comic strip I read in the last month or two
...maybe we should ask Diebold how that works out.
About six years ago the company I work at hired a guy in the QA department. I worked with him on a project briefly. He was a friendly sort, but he tended to show up to work late, would fall asleep in meetings. Talking to him, he mentioned his home business and how grueling it was. He even talked about having a business plan and everything.
Well eventually this poor performance all caught up to him, and the project he was working on wanted him replaced. The manager spoke to him, and he asked for a few days off to get his head straight.
Come Monday he called to say he'd be out all week.
On Wednesday the police showed up looking for him.
Turned out he'd been running a brothel out of his home.
Fortunately nothing bad happened at work, other than the lousy work. But he also had a conviction from the past for striking a police officer. But nobody did a background check and they never realized this.
We also once had a guy who worked in the IT Operations area who was going around at night stealing things off of desks, taking them down to the mail room and putting them in FedEx containers and shipping them to his family in the Phillipines. Laptops, ipods, whatever. It was quite bold, especially to use our FedEx account for shipping.
"What do you know about your own people?"
Wonder what those people would find out about the management and shareholder types if THEY had to go through background checks and be accountable to the people they manage...???
Anymore closet Ken Lays or Bernie Ebbers out there??
They caused more damage, cost more money, ripped-off more people (workers, shareholders, and average-joes) than ALL of the others, times 10 raised to the 53 power... and then some.
I say conduct all the background checks you want-- but let's start at the top and find out who's really running these shows.
They're an invasion of privacy.
And I want to be clear: That Coffee Urn really did look like a Urinal.
And their toes (so they can't code with their feet).
If you have seen this comment in code with a date and initials AWH you took over support from me. My sympathies.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
in India, where the FBI has no jurisdiction and said programmer/designer can be bribed for pennies on the US dollar.
--- Grow a pair, liberals... stop letting the Republicans bully you!
At this stage in your life even if you were a boy scout none of the jobs you are doing are more then steps up. Use them like they use your young stupid long hour working ass.
Work for a medium (or smaller) sized business. They are much less likely to do background checks.
Don't lie on federal or state job applications or anything related to security checks. For that you go to PMITA prison.
Lying to any HR drone will, at worst, make them cross with you. They won't hire you. Which they wouldn't have done anyhow.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
To head of marketing.
Pay for his lawyer if you have to.
Put him in charge of hiring the admin staff. Moral would skyrocket.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
It has nothing to do with who is reading your email, unless you are completely paranoid. You seriously want to tell me a background check will tell management/damagement that the person they will be employing is actually going to have a meltdown. Fine it might tell them he/she has had a meltdown before. It's more about the way they treat their employees, regardless of department or job function.
Comment removed based on user account deletion
A sysadmin with a clean background check could just be a sysadmin who has never been caught.
Doesn't mean they won't read your email or plant a logic bomb.
Does this comprehensive background test include a cavity check as well?
Background check discussions always amuse me. I work as a contractor, often subcontracted out to Tier 1 vendors to work their contracts for large corporates implementing identity management solutions. Never once have I been questioned by _anybody_ before they hand the crown jewels over to me. And this is from sites that absolutely require checks performed on prospective employees. Luckily for them I am honest... not all contractors are...
its not whether or not a potential employee has a record (imho). It is whether the employee was HONEST about any prior run-ins with the law.
Take this example:
I interviewed four individuals for a networking tech position. The first individual was just out of school, not very sure of himself, and didn't really have a very high view of his own abilities during the interview. He did bring several certificates of completion of tests, etc from MCSE, CCNA, etc. When asked, he told me his only run ins with the law were traffic tickets.
The second individual seemed very well versed in all aspects of the position he was applying for, and seemed to really know his stuff. He seemed a genuine nice guy, who was very enthusiastic about the position. He did, however, seem to speak a bit TOO highly of himself. More of boasting rather than communicating his skills. When asked, he told me his only run ins with the law were traffic tickets.
The third individual was an older gentleman, a supposed "veteran" in the field. However, during the interview, he seemed to have a completely skewed understanding of modern networking. "Stuck in the past" so to speak. When asked, he told me his only run ins with the law were traffic tickets, and an arrest for drunk driving ~10 years prior.
The fourth individual had little in the way of "structured" education, but had a significant history of on the job experience. He wasn't young, but not old either. He didn't have much for "up to date" certifications, but when asked about current technology, etc, he was able to provide a very knowledgeable overview of the current technology, etc. Before asked, this individual informed me up front that he would have a record. He explained he would have a drunk driving and assault conviction that he had served time for, as well as several traffic tickets. However he assured me that they were older offenses, that he was an AAA member, and that he had SUPPOSEDLY been sober for 3 years.
Now, out of these four candidates, which do you think i hired after background checks?
Here is how the background checks panned out.
First individual - background check in line with claims, aside from a misdemeanor drug possession charge.
Second individual - had a significant history of assault and drug charges, as well as a charge for illegal weapon possession and fraud.
third individual - completely clean background, not even the claimed drunk driving charge
fourth individual - background check matched exactly what the individual described, and supported, (at least charge wise) that he had been clean for 3 years.
Now again, which do you think i hired?
.
.
.
.
The fourth, of course.
Another aspect (and often even cheaper) is the simple fact that they should be treated with respect. This is true for all employees. Simple matters of politeness and fairnes. If then you give them a reason to be loyal (no, it's not about the salary) you've evoided much trouble. If on the other hand you play games on your employees, they will fight back. I can't even blame them on that.
Idha khatabahum lijahiluna qalu salaman
Imagine a cop who states, quite truthfully, that he could kill an innocent person and never see jail. That cop then states that he would never do that.
Would you be concerned?
Blar.
Viktor Cherkashin, a former KGB officer states in his book Spy Handler, people most often commit treason based on personal needs that need to be resolved, right now. Most commonly financial reasons, it is why Aldrich Ames and Robert Hanssen both defected to spy for Soviets.
....as long as people are involved, security threats can never be completely eliminated."
What's the ideal solution? Make your employees happy, pay them more, etc? It's difficult to stop good people from going rogue, and even worse doing pre-screening. Note even a single scope background investigation and polygraph works (see above)
And to quote Cherkashin, "The only way to be safe is to remove people from intelligence gathering,
I know that if I, the omnipotent rewt on machines most people don't even remember exist, went on a rampage and trashed everything ...
Sort of a built-in check in that respect!
I've worked for a LOT of places - some were banks. My wife works for a brokerage. Trust me, for every one of those jobs, we not only had a regular background check, but were fingerprinted, and the prints run
They actually called my wife back on one of them - at out old house, there was a woman with the same name 1 block away, so our addresses were 1 digit different. That woman had "problems". This has actually turned up 2-3 times, including at our house closing - we had to certify that my wife was NOT the other woman - they took our word, but had to sign a paper
I've held security clearences - they don't prove that you won't do something wrong too - BUT they do tend to get rid of SOME of the chaff - yeah, you lose some wheat too, but...
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
What percent of the working population at-large has been arrested at some point in their life? If it's more than 30%, previous arrest could be a good thing for companies. In any case, you'd have to factor-in the overall working population's 'arrest rate' to the equation to see -how much more likely- a person who's been arrested is to commit a workplace crime than someone who hasn't.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
"its not whether or not a potential employee has a record (imho). It is whether the employee was HONEST about any prior run-ins with the law"
Best not to say, they are usually too stingy to pay for a background check.
davecb5620@gmail.com
I recall a case when someone wasn't paid and was enthused to leave the company. He put a logic bomb on the system that disabled it when his account was deleted. The company sued him and won. He had no prior record and given the number of executives being jailed by the SEC I don't think such background checks are of any use.
An aquaintence of mine does IT contractual work and it is generally quite difficult to get money out of people. He did some work for an Architect company who asked him to unlock a password protected zip file containing drawings. You see they were in the habit of not paying for work done. The drawings were for a contract worth £50,000 so talk about being stingy. They used also forget to pay him. He got fed up with chasing up people for non payment so he devised a script that disables the computer after two weeks. When the inevitable phone call comes he 'fixes' it remotely.
davecb5620@gmail.com
In one job I worked, my manager found out about how I was doing financially. This was a basis to deny me a pay increase. I have no debt. The cars & house are paid off. Basically, I was smart on how I spent my money. It pissed him off. This made it basically impossible for him to buy me off like other people who are especially heavily leveraged. When the pay increase came, I didn't get one. I found this out through second hand sources.
I confronted him on this and he basically said it was easy, take your SS#, have a friend run a credit report. Just that simple !
This has been happening in IT for decades already. Everywhere i have worked has required it. ( one even required security clearance )
Hell, they even do background checks on burgerflippers these days.
---- Booth was a patriot ----
First, every form you fill out before starting asks if you have a criminal background, and states that you can be fired for lying. The background check for an ordinary job is "guilty until proven innocent". The piss test is more so, and an invasion of Fourth Amendment rights, and I make *sure* that my statement to that effect goes into my personnel records.
Second, though most job applications say that a previous conviction will not completely rule you out, I know, from the experiences of someone close to me, that it overwhelmingly *DOES*. Let's see, so they should rehabilitate themselves by getting jobs as burger flippers, regardless of their advance degrees and years of experience, right? And this won't encourage recidivism, either.
(Doonesbury, many years ago:
Dealer: you want me to give up dealing, and bringing down $50k/month, and
get a job flipping burgers, right?
WoD person: That's right.
Dealer: Can't do it. I'm allergic to grease fumes.
WoD: We have a program to help you with that.)
Finally, WHAT THE FUCK IS MANAGEMENT DOING? They hire somebody, there's no q/a, there's no actual code review, and then "oh, he fooled everyone, so we need to check everyone, so that we managers don't have to know what the people under us are doing".
Oh, and hadn't the rest of you noticed that, in the last few years, all of a sudden, every job wants to do a credit check on you?
Welcome to the new [state|city|company]. Papers, please, mein herr|damen
mark
The kind of background checks that were done 20 years ago wouldn't be a problem. A credit report (which by law you can obtain and correct), criminal convictions, that sort of thing. Pretty much everything comes out of public or quasi-public records.
These days, companies like ChoicePoint are offering data products mined from a wide array of sources. There are many problems with this approach, starting with the fact you did not consent for people to share your data for this purpose. In the US, the Fair Credit Reporting Act supposedly regulates some information products used for this kind purpose, but there are many ways around. The same kind of information that you have a right, under FCRA, to contest and correct in a credit report can appear in a background check... and lots more.
You have no right to know or contest what is in a background check. Particularly the cheap kind that are sold almost as shrink wrap products.
The information on the background check can be simply wrong. I had a modem line in my house for a short time, less than two years. Possibly because I had it for a short time, the number got recycled fairly quickly after I had it disconnected. Recently I ran a background check on myself, and found data that had nothing to do with me in it. Looking at it carefully, it turned out to apply to the people who got my old modem phone number.
What if those people had been criminals, or terrorists?
Here's another eample. A couple of years ago, a big box store in our area went out of business. A few months before the store went belly up, we had spent $15 there. Later, we got hundreds of dollars of charges on our credit card: somebody at the store ran our credit card number through dozens of times, apparently to bring enough cash to keep it afloat for another month. We told the credit card company to decline the charges. If the information that we had hundreds of dollars of unpaid debt ever appeared on our credit report, we could challenge it. But if it appeared in a background check, we wouldn't even know.
Even where information is correct, it might not be complete. For example, suppose the creditors in the store incident took us to court. That could appear on our background check. But if the judge dismissed the case, it might not appear in the report at all.
Wouldn't a more accurate background check be better? Yes, but it is more expensive. The background company can sell a much cheaper product if they tolerate a lot of mis-information that shows unlucky people in a false light. The employer can tolerate false positives too, unless it is unusally important to hire the best possible person. In those cases they could double check the background check if they aren't scared off; or they could purchase a better background check. Having a selection of price/quality in background checks benefits the employer and the data companies. It's bad for everyone else.
Background checks are a good thing. Inexpensive background checks are a good thing. Cheap (as in shoddy) background checks, which contain information you cannot see, much less contest or correct, are a very, very bad thing. At the very least, the information in the background check should be shown to you first, and you should be able to challenge it before it goes to the employer.
A better system would work like this: somebody ought to offer a "bonded worker" product. You, as the employee, would hire a trusted and respected company to do a background check on you. The bonding company would then produce a risk profile based on the information in that background check, and show it to you. You could query various findings and view and contest the data used to arrive at them. When the report is mutually acceptable, the report would be sent to your prospective employer. If that employer had any special concerns, they would submit them to the bonding company, who would draft a response which you could review and challenge. At any time you
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
On the other hand, people who commit murder or sexual offenses (whether it's in their 20s, 30s, 40s or 50s) won't even have a parking ticket in their name. I feel like they just snap one day. So in this regard, background checks are worthless.
Then that means the background checks aren't completely worthless... they'll let you find who is "squeaky clean" and then you can avoid hiring them.
When you find someone who has the occasional traffic ticket, or got caught smoking a joint once in their early twenties, you can be assured you have then found someone who is on a more "even keel" psychologically, and therefore more normal.
You don't get a good credit score by not being in debt. You get a good credit score by managing debt well. The credit agencies like to see people who rack up large amounts of debt and then slowely pay it all off without missing a payment. If you do everything on a cash basis, you will have a crap credit score.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Yes criminal checks are ok.
I have nothing to hide.
Credit check, Hell NO
What by credit looks like is non of their business.
I actually lost a 155k year project because I would not allow the staffing firm run a credit check.
-- I am the NRA, enough said...
I have a conviction that's 11, nearly 12 years old. With that, I'm been consistently employed since I graduated - doing a fair bit of development in several Fortune 500 companies. It has actually only kept me from 1 job. Usually some exec or some such has to clear me as the exception to the rule. I tell them about it after the interview (when they've determined that they want to hire me), and well before they actually perform the background check. I've never hidden it that's for sure.
;)
Every job I've left (3 in 4 years) was a move to a better position. If anything I'm more careful about following company policy - I have to operate above suspicion given my past...
Doing something dumb as a drunken high school student doesn't mean you're the largest risk there ever was... the crazy half educated frat boys in marketing and sales scare me far more...
I'm hoping they throw the book at this guy...
Oh BTW - arrest was for armed robbery and interstate flight
I'd say any sysadmin that was good at being bad wouldn't have anything show up on a background check anyhow. However, if they are either good, or evil but dumb, then by all means, background checks help... assuming you judge the nature of the crime to some extent. Of course, if they've been busted for 5 computer-related felonies, then there you go.
stuff |
If you tell me on your application that you are a perfect tenant, pay on time, just moving across town to a bigger apartment, great. But you'd be surprised how many times I pull credit and see the person is from out of state and moved because he's got 12 judgments against him from former landlords, and the local utility won't provide service to him 'cuz he owes them $5,000.00. I'm sorry, but where I live it gets cold, and if you don't pay your electric bill, my pipes are going to freeze and that's more damage than you can afford to pay for, buddy.
So, perhaps that is what employers are looking for. Validation that you aren't totally full of it. I've never heard of someone being denied employment because of a low credit score. I have heard of people being denied employment for lying on their resume or during their interview. "I see from your resume you attended Harvard. Tell me, why did you have electric service in your name in Mississippi and then in Alabama during those 4 years? Correspondence course?"
That's what I use credit checks for.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Clean yourself up and then try again in a few years. Shesh.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
\ | /
==== O - <-- Joke
/ | \
( )
_|_ <-- You
|
/ \
"You and your third dimension."
The relevant code section is below. Minor misdemeanor possession of marijuana is the only minor misdemeanor offense that I am aware of that is a non-public record.
ORC 2925.11
(3) If the drug involved in the violation is marihuana or a compound, mixture, preparation, or substance containing marihuana other than hashish, whoever violates division (A) of this section is guilty of possession of marihuana. The penalty for the offense shall be determined as follows:
(a) Except as otherwise provided in division (C)(3)(b), (c), (d), (e), or (f) of this section, possession of marihuana is a minor misdemeanor.
(D) Arrest or conviction for a minor misdemeanor violation of this section does not constitute a criminal record and need not be reported by the person so arrested or convicted in response to any inquiries about the person's criminal record, including any inquiries contained in any application for employment, license, or other right or privilege, or made in connection with the person's appearance as a witness.